Hi
little update(s):
I think I've found something on a Russian site about the signaling
protocols.
I've also found a memory dump of the femto, but there is a major problem:
the dump is partial (ALU put 2 memories on the board) and I can only access
the main fs of the system
ALU data and configs are on another path (/opt/alu/fbsr and /mnt/mainfs)
which mounts the secondary memory, so nothing can be done.
Also the SVN at https://forge.betavine.net/svn/voda-femtocell
<https://web.archive.org/web/20170606203549/https://forge.betavine.net/svn/voda-femtocell>
is currently offline without any mirror.
Does anyone have a backup or a mirror somewhere?
Thank you and best regards
On Wed 28 Nov 2018 at 00:32 Alex <allexander.alex(a)gmail.com>
wrote:
Hi Domi,
it will be fantastic if you can share the results of your research,
especially the IPSEC part!
Now I'm trying to emulate the secgw on my machine, but it's a black box
problem without the serial console.
Thank you!!!
On Tue 27 Nov 2018 at 23:43 Tomcsányi, Domonkos <
domi(a)tomcsanyi.net> wrote:
> Hi Alex,
>
> I have a couple of those femtocells (Vodafone UK SureSignal versions 1.5
> and 2.0). I did some research on them about 4-5 years ago I think.
> The SureSignal uses an embedded crypto chip to generate keys IIRC. I also
> had the chance to have a look at a rooted board for some time (it was lent
> to me). The THC wiki has pretty much all the info about the board.
> I also was not able to find any UART or serial port on it when I looked.
> I wanted to dump the flash but then got busy with other stuff. Maybe the
> debug fuses are blown in the factory as well.
> Anyways if you wish to do tests or try out something with the device(s) I
> can dig them up, they must be somewhere in my cabinet.
> As far as I remember though the actual femtocell implementation is a
> closed source binary blob, but strongswan (or maybe openswan? I cannot
> recall exactly) is used for the IPsec part, therefore I have a source code
> tree downloaded somewhere as well. Alcatel or Vodafone stayed compliant to
> GPL so the code was released. If only we were able to reconfigure the
> strongswan daemon on the device then we could connect it to your network.
> Provisioning of some parameters (e.g. frequency, Routing Area Code, allowed
> IMSIs) is done via XML files I think inside the ipsec tunnel.
> Now back to changing the ipsec configuration: dumping the flash and then
> changing the config would be a good way to do it, although that would not
> be a generic solution, but as a pilot it could just work.
> I am also not sure if there are any cryptographic signatures protecting
> the firmware, but I would guess probably not.
>
> Sorry for the inconsistent rambling this email turned into, I wrote
> things as they surfaced from the back of my brain, hidden parts of my
> memory :)
>
> Cheers,
> Domi
>
> On 27 Nov 2018, at 19:57, Alex <allexander.alex(a)gmail.com>
> wrote:
>
> Hi,
> little UP:
>
> Vodafone UK and other OpCo like it (VF DE and VF GR I think) made a local
> femtocell network based on similar platform from ALU.
>
> Does anyone know something/ever tried to make something like connecting
> one of these devs to osmoHNBGW or similar?
> Thank you and best regards
>
> On Tue 27 Nov 2018 at 19:56 Alex <allexander.alex(a)gmail.com>
> wrote:
>
>> Hi,
>> thanks for the answer!
>>
>> This femto seems to have a discrete simcard (it has empty slot
>> accessible from the external).
>>
>> I don't know the setup used by the original operator (TelecomItalia),
>> because I bought it from ebay.
>>
>> I found a possible reset procedure (still to be tested), but I don't
>> think it will "unlock" the board.
>> Now I'm trying to find the UART on the board, but on the testpoints I
>> only see "control" signals and clocks. Nothing seems to be a serial port
>> pattern on my oscilloscope.
>>
>> On this site
>> https://web.archive.org/web/20170707063235/https://wiki.thc.org/vodafone
>> there is some information on a really similar cell (9361 I think) from
>> Vodafone, which has a really similar IPSEC config, but there isn't any spec.
>>
>> No one tried to disassemble it or do have just the serial pinout on the
>> board?
>>
>> On the other side I've already deployed the CN part (HLR + MSC + SSGN +
>> GSGN + STP + MGW + HNBGW), which seems to be fully operational, but I can't
>> test without a test cell.
>> I also think the IuH protocol of this femto is a little out-of-standard,
>> but from ALU documentation I can't understand the differences with standard
>> IuH.
>>
>> The idea is to implement ALU's IuH variant on HNBGW if I can take traces
>> from a "lab" env, but without the femto it's just impossible.
>>
>> On Tue 27 Nov 2018 at 18:17 Tomcsányi, Domonkos <
>> domi(a)tomcsanyi.net> wrote:
>>
>>> Hi Alex,
>>>
>>> Femtocells are provisioned with operator data - certificates/keys to be
>>> able to talk to the gateway.
>>> Some femtocells use EAP-SIM with an embedded SIM card, others just rely
>>> on the configuration. If your femto supports a SIM card you can use a SIM
>>> card with a known Ki to connect it to your gateway (strongswan I assume).
>>> If however there is no SIM card support in the femtocell then you need
>>> to somehow re-provision the device - probably using a proprietary software
>>> and method.
>>> Sorry, this is probably bad news for you.
>>>
>>> Kind regards,
>>> Domi
>>>
>>>
>>> On 27 Nov 2018, at 9:33, Alex <
>>> allexander.alex(a)gmail.com> wrote:
>>>
>>> Hi to everyone!
>>>
>>> I'm a new member and I really appreciate the work done here!
>>>
>>>
>>> I'm trying to use Alcatel Femtocells (ALU 9361/9362/9363) with
>>> osmo-hnbgw, but I'm still blocked at the IPSEC tunnel step.
>>>
>>> I've created an IPSEC server with EAP support, but I suspect there is a
>>> problem with my self signed certificate.
>>>
>>> Probably the femtocell has an internal trusted CA which validates
>>> server certs.
>>>
>>>
>>> I didn't find the console pins on the board also, so I cannot simply
>>> connect to it and have a look at the system level.
>>>
>>>
>>> Has anyone any experience with this kind of HW or just an idea about a
>>> possible work around?
>>>
>>>
>>> Thank you and best regards
>>> Alex
>>>
>>>